Issue (open), opened by FlorianRuen 1 year ago
@sk-keeper Any update on this?
I've created a config.json, so I can launch using an alias `keeper_ssh`, so I don't need to type my vault password every time.
But my terminal is still blocking after this, and if I close the terminal, the agent stops, and I can't connect to my SSH session without my key password being entered ...
It is not possible to start the Commander in background mode. At least we have never tested this flow here in Keeper.
Hi @FlorianRuen we're working on some improved developer tools and would like to get your feedback. Please shoot me an email at craig@keepersecurity.com so we can schedule a time.
Thanks, but it would be a very great feature to handle this use case (or at least an option, when launching the Linux Keeper app, to start the SSH agent in background or something)
Sent!
@sk-keeper I think a good way to proceed here can be a custom command such as `kssh user@host` (keeper ssh) that uses ssh-agent directly.
Maybe the infinite loop here isn't really useful: https://github.com/Keeper-Security/Commander/blob/5ecb335356e46b7f6e8c94a31a5343fdc83fbb37/keepercommander/commands/ssh_agent.py#L800
Do you accept open PRs on this repo? If I find some time, I can suggest something. Don't know if it should be inside Commander or in a separate project, but I know many ssh agents that work with this kind of command.
Commander already has an `ssh` command.
https://docs.keeper.io/secrets-manager/commander-cli/command-reference/connection-commands/ssh
If this command finds an SSH key on a record then it loads this key into the system's ssh-agent and starts the system's `ssh` command.
Similar `mysql` and `postgresql` commands make database connections.
There is also a `connect` command that can run any system utility, but it is confusing and hard to use.
https://docs.keeper.io/secrets-manager/commander-cli/command-reference/connection-commands/connection-to-hosts
@sk-keeper I understand, and I agree the `connect` command isn't very easy to use, so not an option for me.
So, there is no possibility to run the `ssh-agent` in background? Because it can be a very helpful way to use Keeper SSH keys.
Unfortunately Commander is not designed to be run in background.
The `ssh` and `connect` commands aren't very useful to other tools that use the ssh-agent, like git. Once #1088 is resolved it could be run in a script on login/startup, though I'd argue that it's something that would be useful spun off into its own agent.
We are open to any suggestion on how to make this area more useful.
The `connect` command (`ssh` is a special version of it) can load private keys into the system's ssh-agent and run other programs that may use it. The keys are removed from ssh-agent when the program exits.
There is no command that just loads keys, keeping them in the ssh-agent.
We haven't had such a request and we do not want to add commands that leak sensitive data outside of the Commander.
The `ssh-agent` command replaces the system's ssh-agent. We know it lacks key management from the Commander: add/remove keys. It requires Commander to be running.
Are you looking for a command that loads a private key into the system's ssh-agent and leaves it there?
We're discussing and will revert back to you with some ideas. If you have additional suggestions on these types of tools please keep sending them over.
The `ssh` and `connect` commands don't integrate well with tools like git or sftp, which don't really connect to a server; they just use SSH as a transport. I'm not even sure how it would work through either of them: `ssh` just opens an ssh session, but you aren't doing that for git, and `connect` appears to require setting up the command to run in the record, and I'm not going to edit a record every time to run things like `git pull` and `git push`. I guess you could set up `connect` to load the key in the agent and connect to a random server so the key stays in the agent while you run git, but that is a horrible workflow. Plus your own documentation says the `connect` command is deprecated since 16.5.8.
I can see how, once my issue mentioned above is resolved, you could have a script that runs and backgrounds a keeper process to keep the agent running. But either loading/unloading keys into the system agent or running the keeper ssh-agent by itself in the background would be much better. Adding and removing keys isn't important if you are using Keeper to store them, though that would be a nice feature later, maybe even some way to save keys loaded into the agent to your vault, or have keeper generate keys for you. Something like `keeper keygen -t ed25519 -T "my new key"` generates the key, saves it to a record called "my new key" and loads it in the agent.
I'm sure some of this overlaps with KCM, but that's a full suite, this would be useful for smaller use cases like personal accounts. Basically though if you're going to offer an ssh-agent it should be like any other agent and able to be run as a daemon/background process.
Is there any update on this issue?
I also have this issue. So I made a little bash script to work around this problem: https://github.com/AlexisPPLIN/keeper-ssh-agent-daemon
I hope it can help some people out there. (Contributions are open obviously)
@craiglurey any update on this, to improve the `connect` feature?
We are launching a new Connection capability directly in the vault. This will be the best way to use SSH connections from Keeper. We'll be in a preview environment in about 1 month or so.
Craig Lurey | CTO & Co-founder
On Thu, Jul 4, 2024 at 5:26 AM Florian Ruen wrote:
> @craiglurey any update on this, to improve the connect feature ?
@craiglurey I don't think you quite understand the request. We don't want to launch SSH connections from the vault. We want to use our existing tooling that utilizes SSH and can speak to an SSH agent to authenticate. For instance Ansible uses SSH to connect to servers to perform configuration and maintenance. Unless launching from the vault supplies an ssh-agent socket, I'm not sure how Ansible can utilize that.
And honestly it's not a feature I think I would use frequently; when I'm working in the terminal it's faster and easier for me to just type `ssh <user>@<hostname>`, or many times I even create aliases for frequent hosts. I don't want to have to leave my terminal, open the vault, authenticate if needed, find the server I want to connect to, click the button and wait for it to open a terminal, whether that's in the vault directly or opening a new terminal window.
@craiglurey it's like my comment earlier. SSH is much more than just a remote shell that we want to use to connect to a server terminal. It's more like an encrypted transport protocol. There are many tools that utilize it to establish a secure session and transmit more than just text back and forth for a terminal. To integrate, those tools need to communicate with an ssh-agent socket; otherwise we have to store the key on disk either in cleartext or encrypted. Cleartext is obviously bad, and if it's encrypted, unless it's loaded in an agent we have to type the password every time to decrypt it, and when you're running Ansible on several hundred systems that gets tedious realllly fast.
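The point made in this comment, and in the earlier request for an agent that runs as a daemon, comes down to the ssh-agent wire protocol: git, scp and Ansible never see a key file, they open the Unix socket named by `SSH_AUTH_SOCK` and ask whatever is listening for its public keys and for signatures. The following is an added example, not Keeper's or Commander's code. It implements the client side of `ssh-add -l` (send `SSH_AGENTC_REQUEST_IDENTITIES`, parse `SSH_AGENT_IDENTITIES_ANSWER`) and a toy agent that answers it, so the exchange can be run offline over a socketpair. The message numbers are those of the SSH agent protocol draft; `SAMPLE_BLOB` is constructed filler shaped like an ed25519 public key blob, not a real key, and `serve_one`, `request_identities` and `demo` are names chosen here.

```python
import os
import socket
import struct
import threading

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def ssh_string(data):
    """Encode an SSH 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Decode one SSH 'string' at `off`; returns (data, next offset)."""
    n = struct.unpack(">I", buf[off:off + 4])[0]
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        data += chunk
    return data

def recv_message(sock):
    """Agent messages are framed as uint32 length + body; return the body."""
    return _recv_exact(sock, struct.unpack(">I", _recv_exact(sock, 4))[0])

def send_message(sock, body):
    sock.sendall(struct.pack(">I", len(body)) + body)

def parse_identities_answer(body):
    """Parse SSH_AGENT_IDENTITIES_ANSWER into [(public_key_blob, comment)]."""
    if not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected reply type %r" % body[:1])
    count = struct.unpack(">I", body[1:5])[0]
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys

def key_type(blob):
    """The first string inside a public key blob names its algorithm."""
    return read_string(blob, 0)[0].decode()

def request_identities(sock):
    """Client side of `ssh-add -l`: send REQUEST_IDENTITIES, parse the answer."""
    send_message(sock, bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
    return parse_identities_answer(recv_message(sock))

def list_agent_keys(sock_path=None):
    """Connect to the agent behind SSH_AUTH_SOCK (or a given path) and list keys."""
    path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(path)
        return request_identities(s)

def serve_one(conn, identities):
    """Agent side, one connection: answer REQUEST_IDENTITIES with the public
    halves it holds. Real agents also answer SIGN_REQUEST; in neither case does
    private key material cross the socket, which is the whole point of an agent."""
    with conn:
        body = recv_message(conn)
        if body[:1] != bytes([SSH_AGENTC_REQUEST_IDENTITIES]):
            send_message(conn, bytes([SSH_AGENT_FAILURE]))
            return
        reply = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(identities))
        for blob, comment in identities:
            reply += ssh_string(blob) + ssh_string(comment.encode())
        send_message(conn, reply)

# Constructed sample (not a real key): ed25519 type string + 32 filler bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))

def demo():
    """Run client and toy agent over a socketpair standing in for SSH_AUTH_SOCK."""
    client_end, agent_end = socket.socketpair()
    t = threading.Thread(target=serve_one, args=(agent_end, [(SAMPLE_BLOB, "constructed-example-key")]))
    t.start()
    with client_end:
        keys = request_identities(client_end)
    t.join()
    return keys

if __name__ == "__main__":
    for blob, comment in demo():
        print(key_type(blob), comment)
```

With a real agent running, `list_agent_keys()` lists whatever that agent holds, the same way `ssh-add -l` does; the toy server shows what any backgrounded agent must do to be usable by git or Ansible. Because every process that can open the socket can also request signatures, the socket's file permissions are the trust boundary: OpenSSH's ssh-agent creates it mode 0600 inside a 0700 directory, and a long-running agent from any other source needs the same property.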
@craiglurey @evilhamsterman I agree with that, and I would also go further: apart from `ssh`, I use `scp` quite regularly to copy files to a host and a remote server, which also requires access to the key ...
And so in this case, from what I understand, the subject will still be a problem, because using the vault will open a session directly (maybe by providing a path to the key, or a different method), but nothing more.
Understood. We are adding the SSH agent service to the Keeper Desktop app as well. This will function exactly how Commander loads up the keys and makes them available from any terminal. Does this address the issue or are you looking for an installed service outside of the desktop app and Commander? It seems redundant to add another installed service but we are open to the suggestions.
On Thu, Aug 22, 2024 at 11:49 PM Florian Ruen wrote:
> @craiglurey @evilhamsterman I agree with that, and I would also go further, apart from ssh, I use scp quite regularly to copy files to a host and a remote server, which also requires access to the key ...
> And so in this case, from what I understand the subject will always be a problem
@craiglurey
To use the standard SSH command, we currently have to launch Commander, start the SSH agent, and keep Commander running since the SSH agent cannot run in the background. This setup is cumbersome because Commander needs to remain open for the SSH agent to be active.
A better approach would be to log in to Keeper (either through the Commander CLI or the desktop app). If the SSH agent is enabled, it should automatically use the SSH keys stored in Keeper whenever an SSH command is run.
This process could be triggered at Linux login, with automatic authentication using a Keeper password stored in a file. This way, the SSH keys would be available immediately after login without needing to manually start Commander each time.
Running the ssh-agent in the Desktop app is a great solution and exactly what we need. Will it be available on all platforms or just *nix? With the inclusion of ssh in Windows now we have more people using the ssh client from there.
@FlorianRuen I don't think that having the agent unlock using a file saved on your desktop is a good idea. That isn't much better than just storing your ssh key in the clear. If you want something like Keychain from the OS those integrate with the security chip like a TPM to decrypt. I think that's another question altogether.
@evilhamsterman I mean, the ssh agent can try to find the key in Keeper; if locked, ask for the Master password one time (and expire after X minutes) and continue the login to the ssh instance, without more action than `ssh host@password`.
Thinking a little bit more, the Desktop App is a great option, but I do think having a CLI only option would still be good too. Sometimes you could easily forward the agent from a desktop but other times not as easily. I'm thinking for situations that don't have a GUI but you don't access via ssh like Codespaces.
That sounds like what @craiglurey is proposing with the desktop app. I assume you start the desktop app like you normally do now, but it would start an ssh-agent socket with any keys it finds.
So if that's the case, it seems a good solution!
Yes, so there are many ways that people will be able to connect via SSH to targets (or just open SSH tunnels) with this new system:
If you're interested in a demo, I can show you what's coming.
Hello there,
I've been using Keeper for many years now, but I'm a new user of the SSH agent, to use all my keys stored in my Keeper Vault.
For now, after my session opens, I need to:
keeper ssh-agent start
ssh user@host
My ideal solution would be to first be able to launch it in the background, and if the ssh-agent can launch at startup, just asking me for the vault password or something (or even using a password from command line arguments or something?).
Is there a way to achieve this kind of behavior?
Kindly,